On Sat, 2003-03-29 at 15:35, george donnelly wrote:
In fact, I was auditing one of
my own sites and stumbled across a variant of this technique that allowed arbitrary access to virtually any object on the server. Yikes!
I'm not so sure it's because of this...
What do you think it might be?
2. Use different roles for different groups of users. Create site-specific, function-specific roles like site1_admin, site2_admin, site1_user, etc. Use server-wide roles sparingly and define them narrowly (send_mail, add_user, etc).
I tested this out and found it did not work. I had two folders (folder1, folder2) side by side in the same container (folder). I gave a user in folder1 the role X_admin, which had all the same perms as Manager. This is the only role this user had. This user was still able to call folder1/folder2 and do what he liked in folder2.
I'm not sure if there's enough information to know what you're saying, exactly. That won't stop me from responding, though. :-)

The roots of most virtual hosts are going to be viewable by Anonymous, as will much of their content. As such, those objects can be acquired at will by anyone. It's very difficult to prevent acquisition from allowing the *viewing* of objects cross-site, since keeping these things viewable by Anonymous is pretty darn convenient. In many situations, it could be considered a problem that it's possible to make any part of site2 *appear* to be a part of site1... but again, that's a problem that boils down to two sites sharing the same role, Anonymous. I'm not saying that creating different Anonymous roles is warranted, BTW... but as far as I can tell, role sharing is the nature of the problem.

If you configure priv_method in folder2 such that it is only viewable by folder2_admin, you won't be able to see it if your role is folder1_admin. This suggests that the roles required for privileged operations should be tailored very carefully so as to be available only to those intended to have them. Re-using roles is too permissive in most cases. Or have you really found a way to circumvent site-specific roles?
3. Disable/restrict "view folder contents" permissions for all folders
I don't see this permission anywhere... Do you mean "Access contents information" ?
Yes... that's what it's called. I think it was "view folder contents" at one point, but it's obviously not called that any more. :-)
I would add that turning off WebDAV access for anonymous users is a good idea.
Absolutely.

Dylan
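As an added illustration of the role-sharing point made in the thread (this is example code, not code from the thread or from Zope itself), here is a small Python model of two side-by-side sites under one container. The traversal rule (look a name up in the ancestors when it is not a direct child), the permission lookup (acquire the setting from the nearest container that defines one) and the "granted to Anonymous means granted to everybody" rule are deliberately simplified approximations of Zope's acquisition and security policy, not its actual implementation. The folder names, permission names, users (alice, bob, carol) and roles (X_admin, folder2_admin) are constructed for the example; priv_method is the hypothetical privileged operation from the reply above.

```python
"""Toy model of permission checks in a Zope-like folder hierarchy (added example)."""
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"


@dataclass
class Folder:
    name: str
    # permission name -> roles granted that permission on this object.
    # A permission not set here is acquired from the nearest ancestor that sets it.
    permissions: dict = field(default_factory=dict)
    # userid -> local roles assigned on this object (inherited by its contents)
    local_roles: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)
    parent: "Folder | None" = None

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.name] = child
        return child


def traverse(root: Folder, path: str) -> Folder:
    """Resolve a URL path. A name that is not a direct child is looked up in the
    ancestors (simplified stand-in for acquisition), which is why /folder1/folder2
    reaches folder2 even though folder2 is folder1's sibling, not its child."""
    obj = root
    for name in path.strip("/").split("/"):
        here = obj
        while here is not None and name not in here.children:
            here = here.parent
        if here is None:
            raise KeyError(f"{name} not found from {obj.name}")
        obj = here.children[name]
    return obj


def roles_granted(obj: Folder, permission: str) -> set:
    """Roles allowed `permission` on obj, acquired from the nearest container that sets it."""
    here = obj
    while here is not None:
        if permission in here.permissions:
            return set(here.permissions[permission])
        here = here.parent
    return set()


def roles_in_context(obj: Folder, userid: str, global_roles: dict) -> set:
    """Server-wide roles plus local roles assigned on obj or any of its containers."""
    roles = set(global_roles.get(userid, ()))
    here = obj
    while here is not None:
        roles |= set(here.local_roles.get(userid, ()))
        here = here.parent
    return roles


def allowed(obj: Folder, userid: str, permission: str, global_roles: dict) -> bool:
    granted = roles_granted(obj, permission)
    if ANONYMOUS in granted:
        return True  # granted to Anonymous means granted to everybody
    return bool(granted & roles_in_context(obj, userid, global_roles))


def build_site() -> Folder:
    """Constructed layout: one container holding two side-by-side sites plus a third."""
    root = Folder("folder", permissions={
        "View": {ANONYMOUS, "Manager"},
        "Access contents information": {ANONYMOUS, "Manager"},
        "Manage properties": {"Manager"},
        "priv_method": {"Manager"},
    })
    # site 1: X_admin has the same management power as Manager here
    root.add(Folder("folder1", permissions={"Manage properties": {"X_admin", "Manager"}},
                    local_roles={"alice": {"X_admin"}}))
    # site 2: its own narrow role; priv_method is reachable by that role only
    root.add(Folder("folder2", permissions={"Manage properties": {"folder2_admin", "Manager"},
                                            "priv_method": {"folder2_admin"}},
                    local_roles={"bob": {"folder2_admin"}}))
    # site 3 re-uses the X_admin role name for its own administrators
    root.add(Folder("folder3", permissions={"Manage properties": {"X_admin", "Manager"}}))
    return root


def demo() -> dict:
    root = build_site()
    global_roles = {"carol": {"X_admin"}}  # carol holds X_admin server-wide
    via_folder1 = traverse(root, "/folder1/folder2")  # folder2 acquired through folder1
    g = global_roles
    return {
        # shared Anonymous role: public content of site2 is visible via site1's URL space
        "alice_view_folder1/folder2": allowed(via_folder1, "alice", "View", g),
        "alice_manage_folder1": allowed(traverse(root, "/folder1"), "alice", "Manage properties", g),
        # folder2 grants management only to folder2_admin/Manager: the acquired path adds nothing
        "alice_manage_folder1/folder2": allowed(via_folder1, "alice", "Manage properties", g),
        "alice_priv_folder1/folder2": allowed(via_folder1, "alice", "priv_method", g),
        "bob_priv_folder2": allowed(traverse(root, "/folder2"), "bob", "priv_method", g),
        "bob_manage_folder1": allowed(traverse(root, "/folder1"), "bob", "Manage properties", g),
        # a server-wide role re-used by two sites administers both of them
        "carol_manage_folder1": allowed(traverse(root, "/folder1"), "carol", "Manage properties", g),
        "carol_manage_folder3": allowed(traverse(root, "/folder3"), "carol", "Manage properties", g),
        "carol_manage_folder2": allowed(traverse(root, "/folder2"), "carol", "Manage properties", g),
    }
```

Run `demo()` and compare the entries: alice's site-local X_admin lets her manage folder1 and, through the shared Anonymous role, view folder1/folder2, but not manage folder2 or call its priv_method; carol's server-wide X_admin reaches every site that grants that role name, which is the case for using server-wide roles sparingly and defining them narrowly.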